
In the cloud, an often hazy grasp of security risks

By Paresh Dave, Los Angeles Times

Posted: 08/25/2013 10:31:23 AM MDT

Updated: 08/25/2013 10:31:57 AM MDT

Thomas Trappler, director of software licensing for UCLA, also works to help companies mitigate risks when hosting their data on cloud-based servers. "It's easy to overlook security because of the virtual nature of the cloud," he said. (Genaro Molina)

LOS ANGELES -- When Thomas Trappler talks clouds, companies listen.

But he's not warning about rain. Rather, Trappler is a "cloud" consultant, who tells attorneys, executives and fellow information technology experts what to look out for when they put company databases in the so-called cloud.

As more companies rely on remote cloud servers to store their files, Trappler has become a highly sought-after security adviser, a celebrity of sorts in the rapidly growing cloud computing industry.

"No one's teaching people about this," Trappler said. "At the moment, I don't think there are very many people like me."

Trappler is the director of software licensing at UCLA -- a job that opened the door to his lucrative moonlighting.

For years, he had been buying licenses for programs, such as Microsoft Office, so that UCLA faculty, students and staff could use them. But the rules started to change five years ago as these programs moved into the cloud, turning into apps such as Office 365. Trappler studied until he became a go-to expert nationwide.

"It's easy to overlook security because of the virtual nature of the cloud, but really your data is going over the Internet to another computer and not to some magical world where everything's going to be fine," he said.

The $40 billion cloud industry, as measured by the research firm IDC, is attractive to companies. By transferring files via the Internet to a hard drive located in a data center or server farm, users can access the data from any Internet-connected device.

Online retailer Amazon.com Inc. is one of the largest data center providers, housing data on behalf of thousands of companies including Netflix Inc., Dropbox Inc. and Autodesk Inc. Other large cloud providers are Google Inc., Microsoft Corp. and Rackspace Inc.

What troubles Trappler is that not every company considers security issues before agreeing to bounce consumers' data onto the cloud services. Half of companies surveyed in December by Ponemon Institute, an independent research firm, reported that they had not taken security risks into account when striking cloud deals.

"What most of us are used to is 'I buy it, I maintain it,'" Trappler said. "If something's broken, I can beat on someone's door down the hall and get them to fix it."

Now "it" and "someone" are far away. "And the question is, how do I ensure they do it right," Trappler said.

With spies after trade secrets, hackers out to steal sensitive financial information and the federal government demanding online communications records, the threats are as prominent and varied as they have ever been.

And companies aren't the only ones at risk. Consumers who use Web applications are caught blind in the middle. They often are not told where their sensitive information is being stored and what precautions are being taken to ensure that it's not seen by the wrong eyes.

For example, Google's Cloud Platform website lists BestBuy.com as a client. But the retailer recently moved customer data off the cloud, spokesman Jonathan Sandler said. Its privacy policy doesn't note where data are stored. The policy does state that Best Buy takes "reasonable security measures to protect the confidentiality of personal information under our control and appropriately limit access to it."

Trappler has advised more than 50 companies and has spoken to hundreds of people at conferences about what qualifies as "reasonable measures." Among his clients have been a pharmaceutical firm from New Jersey, a biotechnology company from Southern California and a higher education system in the Midwest. They could not be named because of confidentiality agreements.

He suggests that companies consider, among other things, encryption methods and reliability of the storage computers. Other possibilities include background checks of the cloud provider's employees and clear notification policies in the event of a breach.

The biggest sticking point in deals is often deciding who's responsible for the repercussions when data are stolen. Companies want cloud providers to pick up the tab, since sometimes they have little insight into security measures.

"The client wants to be able to verify the service provider's security claims," Trappler said. "But the more details they reveal, the less secure the provider's infrastructure becomes."
